Title: Some Network Attacks and Lessons Learned
1. Some Network Attacks and Lessons Learned
- Notes for CSCI 4220 and CSCI 5220
2. Lesson Objectives
- Learn about network protocol attacks
- Not concerned with application-level attacks
- Learn how to avoid these attacks
- Explore lessons learned: things to avoid when designing new protocols
3. Background: IP Packets
IPv4 header layout (bit positions 0-31 within each 32-bit word):
  0-3 Vers (4) | 4-7 IHL | 8-15 ToS | 16-31 Total Length
  0-15 ID (for fragmentation) | 16-18 Flags | 19-31 Fragment Offset
  0-7 TTL | 8-15 Protocol | 16-31 Header Checksum
  IP Source Address (32 bits)
  IP Destination Address (32 bits)
  Options (usually empty)
  Data
- Everything is just bits being transmitted
- Can all be tampered with!
- Header checksum is not cryptographic: it is for detecting transmission errors, not tampering
4. Field Tampering
- Attack type 1: put invalid data in fields
- Example 1: Ping of Death
  - An oversized ping packet crashes the machine
- Example 2: LAND Attack
  - Specially crafted packet with both source and destination set to the victim's address, with fields that make the machine lock up
5. IP Spoofing
- Smurf Attack (Simplified)
[Diagram: Attacker 24.3.29.123, Intermediary 123.45.67.89, Victim 209.12.17.35]
6. IP Spoofing
- Smurf Attack (DoS amplification)
[Diagram: Attacker 24.3.29.123, Intermediaries 123.45.67.1, 123.45.67.2, 123.45.67.3, Victim 209.12.17.35]
- Works particularly well when the Attacker-Intermediaries connection has lower bandwidth than the Intermediaries-Victim connection
7. IP Spoofing Countermeasures
- Filter out broadcast messages at the gateway
  - Doesn't work if the intermediary is inside the border!
- In general: filter out LAN-only messages across the border
- Egress filtering
  - Only let out packets with appropriate source addresses
  - Doesn't stop you from being an intermediary or a victim; think of it as being a good netizen
8. TCP Packets
TCP adds sessions or connections to the bare IP protocol
TCP header layout (bit positions 0-31 within each 32-bit word):
  0-15 Source Port | 16-31 Destination Port
  Sequence Number (32 bits)
  Acknowledgment Number (32 bits)
  0-3 Data Offset | Flags | 16-31 Window
  0-15 Checksum | 16-31 Urgent Pointer
  Options
  Data
Flags:
  URG  Urgent pointer valid        RST  Reset flag
  ACK  Acknowledgment valid        SYN  Synchronize sequence numbers
  PSH  Push function               FIN  Finish of connection
9. The 3-way handshake
Labels below give (Flags, Seq, Ack)
[Diagram: handshake exchange between Client and Server; message labels not recoverable]
- To establish a connection, the client must prove that it received the SYN-ACK packet!
- The SYN-ACK packet is routed to the system with the source address from the first SYN packet
- Since this is based on routing, it is only secure back to the subnet of the source
10. SYN Issues: Predictability
- Sequence numbers should be unpredictable
- Most systems today select random values that meet some necessary conditions
- Otherwise:
[Diagram: Client and Server; data pretending to come from a fake Src]
- Particularly dangerous when the fake Src is a trusted IP address
11. SYN Issues: SYN Flooding
[Diagram: Client, Server, and the Server's data structures for half-open connections]
- DoS isn't due to traffic volume but to resource exhaustion (memory) in the server OS
- Early network stacks had a severely limited number of half-open structures available
- Can spoof the SRC address with a non-existent host
12. SYN Flooding Solutions
- SYN cookies
  - Basic idea: use cryptography to avoid saving state
  - Specifically: store info in Seq to verify upon ACK
    - Time: increments every 64 seconds
    - MSS: Maximum Segment Size (must be remembered!)
    - Cryptographic hash with a secret gives unpredictability
  - Only the server and the receiver of the seq can reproduce seq
  - Not perfect: limited MSS options, 24 bits can be brute-forced
- Router solutions (protect hosts without modifying hosts)
  - Rate limiting/shaping, Cisco router TCP Intercept feature
Cookie layout (the 32-bit sequence number):
  Time t (5 bits) | MSS (3 bits) | Hash(secret, srcIP, destIP, sPort, dPort, t) (24 bits)
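The cookie layout above, worked through in Python as an added example (not code from the slides or any real TCP stack): the server issues a stateless ISN and later checks the client's ACK against it. The MSS table, the secret and the way the 5-bit counter is recovered are assumptions.

```python
import hashlib
import hmac

# Assumed SYN-cookie layout from the slide: 32-bit ISN =
# t (5 bits) | MSS index (3 bits) | 24-bit keyed hash. Table and secret are made up.
MSS_TABLE = [536, 1024, 1220, 1440, 1460, 4312, 8960, 9000]  # 8 entries -> 3 bits
SECRET = b"server-secret-rotated-regularly"                  # assumed

def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    best = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            best = i
    return best

def cookie_hash(src_ip, dst_ip, sport, dport, t):
    """Hash(secret, srcIP, destIP, sPort, dPort, t) truncated to 24 bits."""
    msg = f"{src_ip}|{dst_ip}|{sport}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, dst_ip, sport, dport, mss, t):
    """ISN for the SYN-ACK. Nothing about this half-open connection is stored."""
    return ((t & 0x1F) << 27) | (mss_index(mss) << 24) | cookie_hash(src_ip, dst_ip, sport, dport, t)

def check_cookie(src_ip, dst_ip, sport, dport, ack, now_t, max_age=2):
    """Verify the client's ACK (ack == cookie + 1). Returns the MSS to use, or None.

    Only 5 bits of t are in the cookie, so the full counter value is recovered
    from the current counter and the cookie's age; stale cookies are rejected."""
    seq = (ack - 1) & 0xFFFFFFFF
    age = (now_t - (seq >> 27)) & 0x1F
    if age > max_age:
        return None
    t = now_t - age
    if cookie_hash(src_ip, dst_ip, sport, dport, t) != (seq & 0xFFFFFF):
        return None
    return MSS_TABLE[(seq >> 24) & 0x7]
```

The 24-bit truncation is what makes the slide's brute-force caveat real: the check rejects wrong guesses, but the space is small enough that a flood of guessed ACKs is a concern.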
13. Combining Techniques: The Mitnick Attack
[Diagram: Attacker, Trusted Admin server, Target; label: SYN Flood to disable network]
- Lessons learned
  - In the network stack: Seqs must be unpredictable!
  - In the network setup: should filter out local srcIPs coming from outside
  - In the application: IP-based trust is a very bad idea!
14. Message Interception
- Original Ethernet (shared medium)
  - All systems on a LAN see all traffic
  - Usually ignore everything not addressed to them (based on MAC addr)
  - However: interfaces can be put into promiscuous mode
- Ethernet evolution 1: Hubs
  - Star topology, but all traffic still goes to all hosts
- Ethernet evolution 2: Switches
  - Switch remembers which MAC addresses are connected to which ports, and sends traffic only to the addressed host
15. ARP: Finding the right host
- Problem
  - Ethernet works on MAC addresses (doesn't understand IP)
  - IP works on IP addresses (doesn't understand Ethernet)
  - How do we get a packet to the right host?
- Answer: The Address Resolution Protocol (ARP)
- Example: Host 10.1.1.42 wants to send to 10.1.1.92
  - But! Only knows the IP address, not the MAC address
  - So: broadcasts an ARP message on the Ethernet saying "Who has 10.1.1.92?"
  - 10.1.1.92 responds with "I have 10.1.1.92. My MAC is 00:02:2d:9a:27:72"
  - Now 10.1.1.42 sends over Ethernet to this MAC
16. When ARP goes bad: ARP Spoofing
- Performance: hosts keep an ARP table of known IP address <-> MAC mappings
  - Doesn't have to ask if the MAC address is already known
  - Updates the table with each "I have a.b.c.d" message
  - Expires mappings regularly (in case an IP moves)
- ARP spoofing: to sniff on a switched Ethernet
  - Attacker (on the same LAN) sends out "I have a.b.c.d" messages for the target machine (or all machines!)
  - Packets are then sent to the attacker rather than the destination (which could be the gateway router)
  - Attacker can then forward the packets, so no disruption, just monitoring
17. ARP Spoofing Countermeasures
- Static ARP tables
  - Sensitive subnets should use static ARP tables
  - Mappings don't expire
  - Mappings are hard-coded as genuine by the administrator
  - Not perfect: MAC address spoofing is still possible!
- Possible future directions
  - A better solution is still an unresolved research issue
  - Some suggest authenticated ARP
    - Uses digital signatures (PK crypto), so slow, and ARP needs to be very low overhead!
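An added example (not from the slides) of the monitoring side of these countermeasures: audit a stream of "I have a.b.c.d" replies against an administrator-pinned static table and flag the changes that ARP spoofing on the previous slide produces. The replies, the static table and the one-IP-per-MAC threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies ("I have <ip>, my MAC is <mac>"), in order seen.
SAMPLE_REPLIES = [
    ("10.1.1.1", "00:00:0c:aa:bb:01"),   # gateway, matches the pinned entry
    ("10.1.1.92", "00:02:2d:9a:27:72"),  # the host from slide 15
    ("10.1.1.1", "00:11:22:33:44:55"),   # gateway's MAC suddenly "changes"
    ("10.1.1.92", "00:11:22:33:44:55"),  # the same MAC now also claims 10.1.1.92
]

# Assumed static (administrator-set) mappings for the sensitive subnet.
STATIC_TABLE = {"10.1.1.1": "00:00:0c:aa:bb:01"}

def audit_arp(replies, static=STATIC_TABLE, max_ips_per_mac=1):
    """Return a list of alerts: a reply contradicting a static entry, an IP whose
    learned MAC changed, or one MAC claiming more IPs than max_ips_per_mac.
    Static entries are never overwritten by replies, mirroring a static table."""
    learned = {}
    ips_by_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        if ip in static:
            if static[ip] != mac:
                alerts.append(("static-mismatch", ip, mac))
        else:
            if ip in learned and learned[ip] != mac:
                alerts.append(("mac-changed", ip, mac))
            learned[ip] = mac
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append(("mac-claims-many-ips", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts

def alert_kinds(replies):
    """Just the alert types, in order, for a quick summary."""
    return [a[0] for a in audit_arp(replies)]
```

Raise max_ips_per_mac where a router or proxy-ARP host legitimately answers for several addresses, and remember the slide's caveat: an attacker who also spoofs the MAC itself defeats the first two checks.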
18. Fragmentation issues
- Fragmentation: breaking up long IP packets to fit in a particular type of low-level link
  - Example: slow PPP might use a maximum packet length of 500 bytes for responsiveness vs. the typical Ethernet length of 1468 bytes
- Security issues
  - Using fragmentation to avoid an Intrusion Detection System
    - Break up a signature into multiple fragments
    - How are overlapping packets re-assembled?
[Diagram: Fragment 1 carries "defauls"; Fragment 2 carries "t.ida" and overlaps the last byte of Fragment 1. After reassembly the host gets "default.ida" while the IDS sees "defauls.ida": no signature match!]
19. Fragmentation issues (cont'd)
- Solutions?
  - Try every possible packet reassembly
    - Problem: n fragments gives 2^n reassemblies
  - Know how major OSes work and try those assemblies
    - Problem: what if a new machine or new network stack?
  - Reassemble packets at the firewall
    - Only a consistent reassembled packet stream is seen inside
    - Problems: difficult to keep up with a very high bandwidth connection at the gateway; doesn't protect from internal attacks
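The overlap example from slide 18 and the "try every reassembly" idea from slide 19, as one added Python example (not code from the slides or from any IDS). Offsets are byte offsets for readability (real IP fragment offsets count 8-byte units), and the signature string is an assumption.

```python
from itertools import product

# Constructed fragments from the slide's diagram: (byte offset, payload), in arrival order.
FRAGMENTS = [(0, b"defauls"), (6, b"t.ida")]
SIGNATURE = b"default.ida"   # assumed IDS signature

def reassemble(fragments, overwrite):
    """Place fragments in arrival order. overwrite[i] says whether fragment i may
    replace bytes already filled by an earlier fragment. Returns None on a gap."""
    total = max(off + len(payload) for off, payload in fragments)
    buf, filled = bytearray(total), [False] * total
    for (off, payload), may_overwrite in zip(fragments, overwrite):
        for i, byte in enumerate(payload):
            pos = off + i
            if may_overwrite or not filled[pos]:
                buf[pos] = byte
            filled[pos] = True
    return bytes(buf) if all(filled) else None

def host_view(fragments):
    """Stack policy where a later fragment wins the overlap (what the host gets)."""
    return reassemble(fragments, [True] * len(fragments))

def ids_view(fragments):
    """Reassembler that keeps the first bytes it saw (what the IDS sees)."""
    return reassemble(fragments, [False] * len(fragments))

def all_reassemblies(fragments):
    """Every candidate from choosing overwrite/keep per fragment: 2^n for n fragments."""
    n = len(fragments)
    return {reassemble(fragments, flags) for flags in product((False, True), repeat=n)}

def signature_seen(fragments, signature=SIGNATURE, exhaustive=False):
    """IDS verdict; exhaustive=True tries every reassembly as slide 19 proposes."""
    candidates = all_reassemblies(fragments) if exhaustive else {ids_view(fragments)}
    return any(c is not None and signature in c for c in candidates)
```

The exhaustive verdict catches the evasion but at 2^n cost, which is exactly the trade-off the slide's "Problem" bullet points out.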
20. Some tools to know about
- nmap
  - Network mapper: see what your machines look like to the network
- ethereal
  - Nice packet sniffer
- dsniff
  - Sniffer with special attacks built in, such as ARP spoofing
- snort
  - Combination packet sniffer and IDS
21. Summary and Wrap-up
- Designing network protocols is very tricky!
- New protocols appear every day; some fix old problems, some introduce new problems!
- A good firewall/router can protect you from many outside attacks, but beware of insiders!
- Crypto can protect high-level protocols, but there is not much it can do at the link or network layers
- Note: wireless networks have this problem too!